Cashgopher isn't that innocent after all

I noticed some problems with Blogger and WordPress when some weird geoads scripts keep appearing in my posts, even though I didn't put them in! This slows down my blog tremendously. After some research, I discovered that Cashgopher is the one at fault.

Below is the site that explains it.

From http://klickjobs.biz/index.php?option=com_kunena&Itemid=266&func=view&catid=48&id=948 

Here are some experiences from us and some other information about Cash Gopher
collected from the internet/forums/blogs.

1) We all know you must install the CashGopher software to use it and to login.
2) It is not really clear what the software is doing but we saw a connection to geoads.com
(geoads is something like AdHitz or InfoLinks)
3) The software additionally installs, automatically and without permission, a FireFox Addon.
This AddOn "overwrites" Ad banners like those from AdHitz or BidVertiser with its own Ads.
It replaces the Ads with its own ads when you surf with FireFox, so that you will not see the
actual advertisements from the site you visit. It shows you the GeoAds ads.
4) Furthermore: We have a "Vslave Computer" here, or also called "VirusSlave".
This is a computer we only use for testing sites or software which might be infected by trojans
or viruses. We install software on this PC and we check what the software is doing.
We also enable and disable our Virus Protections and/or Firewalls to test if something will happen.
There is also a FTP program installed on this computer in order to test if some tools will
install a "js.Frame Trojan" on your ftp to infect your website (FTP) with a virus which adds
automatically java codes to your html pages to show and overwrite other ads than you have installed.

Well, we guess that the CashGopher software is doing this. (pls check all pictures below!)
After installing and running the CashGopher software nothing strange happens, but after a while
we noticed some strange things.
1) Any site we visit opens other ads and geo-targeted ads (in our language) at the same place where
the AdHitz ads or InfoLinks ads were. Very often they break also the website template.
2) We had a sneaking suspicion that this is caused by the CashGopher software, so we took a closer
look. We disabled the Virus Detection and FireWall on the "VSlave", we visited some sites and the
status bar from FireFox (the bottom of the browser) shows us "waiting for CashGopher...".
Then a new tab opens where the status bar shows "waiting for GeoAds.com..." then some advertisements.
I think the software collides with other javascript Ad banners or it's the intention of this software
to overwrite the ads to show its own ads. THIS IS ILLEGAL AND A FRAUD!
3) Then we tested the "FTP Infection" on our "VSlave" and this confirmed our suspicion.
As you can see in the picture below there is a javascript code added to the html which is not from us!
We never added this code and we don't use GeoAds.
At this moment the CashGopher software is running.
We removed the code, saved the html and refreshed the page. Our AdHitz ads were displaced by GeoAds ads.
We looked at the html code and the javascript code is back! There is no chance to delete it!
It's a virus with an implemented trojan on our "VSlave" which has access to our FTP files right in the
moment when we're logged in our FTP!
Then we de-installed the CashGopher software AND the FireFox AddOn.
We started searching with "Kaspersky Business Space Security" and it found a Trojan
called "java.Agent.xx" and "Exploit.java.Agent" - we removed it successfully.

We re-started the "VSlave" PC.
We opened again the html, deleted the GeoAds code, saved it, refreshed the page.
All is working fine. No replacement of our ads, no other ads on other websites.
No re-direction to geoads.com.
2nd check with Kaspersky: System is clean - FTP is clean.

We must assume that the CashGopher software installs some more things on the computer and it's
very well coded to infect also FTP clients. This is a forbidden and illegal method to infect
the whole FTP/website to show ads and to do other things.
It can also spy out a complete database with usernames, emails and passwords.
Again: "IT CAN!" I don't say that the CashGopher is doing this but for us it's clear that the
FireFox AddOn replaces other advertisements and that it encroaches deeply into the system.

Here are some picture proofs:

CashGopher FireFox Add-On:

GeoAds replaces other ads and added more Mouse-Over ads to websites:

FTP/html code from GeoAds added (FTP infection from "java.Agent.xx"):

Links to some threads where these and other things were also mentioned by other users:

7. by BrightSky
"First I notice it will added in to FireFox as add-on extension.
Each time I load a page, it will try to connect js.geoads.com."

Strange issues after using CashGopher

CashGopher changes advertisements! Crashed FireFox!

Complaints and issues!

We sent several support tickets to the CashGopher support regarding these problems but we got no
answer yet.
We sent also some questions about some issues in the Account settings because they won't be saved.
So, we cannot add our paypal email or other things. We got no answers yet.
We earned $0.02 within 5 days. Not much, the software was running more than 50 hours.

We deinstalled the CashGopher software and we cannot recommend it.
It is not clear what it is doing exactly, the earnings are very low and there are strange things going on.
We highly recommend keeping an eye on this software (and on the computer where it's installed)
and we suggest the myLot team to check if their software is working correctly.
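
The quoted report describes script code appearing in the site's own HTML files that the owners never added. As an added example (not code from this post or from the quoted forum thread), the following Python check lists external script or iframe hosts in a page that are not on the site owner's allowlist. The allowlisted host `adnetwork.example`, the sample page and its file paths are constructed for illustration; only the host `js.geoads.com` comes from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAudit(HTMLParser):
    """Collects external <script>/<iframe> sources whose host is not allowlisted."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (line number, host)

    def _is_allowed(self, host):
        # Accept the allowlisted host itself and any of its subdomains.
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        # No host means a relative (same-site) URL or an inline script.
        if host and not self._is_allowed(host):
            self.findings.append((self.getpos()[0], host))


def unexpected_script_hosts(html_text, allowed_hosts):
    """Return (line, host) for every external script/iframe host not allowlisted."""
    audit = ScriptAudit(allowed_hosts)
    audit.feed(html_text)
    audit.close()
    return audit.findings


# Constructed sample page: one same-site script, one script from the ad network
# the owner really uses (hypothetical host), and one tag the owner never added.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.adnetwork.example/show.js"></script>
<script type="text/javascript" src="http://js.geoads.com/placeholder.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, host in unexpected_script_hosts(SAMPLE_PAGE, {"adnetwork.example"}):
        print(f"line {line}: unexpected external script host {host}")
```

Run it over each HTML file downloaded from the server; inline scripts without a `src` are not covered, so comparing the file against a known-good copy is still needed for those.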
